[Python-checkins] [3.9] bpo-43882 - Mention urllib.parse changes in Whats new section. (GH-26276)

orsenthil webhook-mailer at python.org
Fri May 21 08:30:09 EDT 2021


https://github.com/python/cpython/commit/0593ae84af9e0e8332644e7ed13d7fd8306c4e1a
commit: 0593ae84af9e0e8332644e7ed13d7fd8306c4e1a
branch: 3.9
author: Senthil Kumaran <senthil at python.org>
committer: orsenthil <skumaran at gatech.edu>
date: 2021-05-21T05:30:04-07:00
summary:

[3.9] bpo-43882 - Mention urllib.parse changes in Whats new section. (GH-26276)

* [3.9] bpo-43882 - Mention urllib.parse changes in Whats new section.

* Add the missing section.

files:
M Doc/whatsnew/3.9.rst

diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst
index 7f790e5bd7555e..c29715d192f953 100644
--- a/Doc/whatsnew/3.9.rst
+++ b/Doc/whatsnew/3.9.rst
@@ -1560,3 +1560,17 @@ IPv4 address sent from the remote server when setting up a passive data
 channel.  We reuse the ftp server IP address instead.  For unusual code
 requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
 attribute on your FTP instance to ``True``.  (See :issue:`43285`)
+
+Notable changes in Python 3.9.5
+===============================
+
+urllib.parse
+------------
+
+The presence of newline or tab characters in parts of a URL allows for some
+forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
+URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
+characters are controlled by a new module level variable
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
+
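Review bot: In the new urllib.parse entry, the last sentence points readers at ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, an underscore-prefixed name, without saying whether changing it is supported. Add a clause that states its status, so readers do not mistake a private module variable for a stable configuration knob. The phrase "The removal characters are controlled by" is also awkward; "The characters that are stripped are controlled by" reads better, and a comma is needed before "preventing such attacks". Since this is a behaviour change in a bugfix release (3.9.5), the entry should name the parsing functions that now strip these characters, so callers who validate a URL string before parsing know the parsed components may differ from the string they checked.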


